
Making strategic decisions about cyber security, or any other sort of security, needs to be done at the board level. It is difficult to get company boards to focus on strategic issues, despite the fact that this is what they are theoretically meant to do. Companies are busy places and there are always minor issues that take time from board meetings. In some companies, the culture is such that managers avoid their responsibility by sending decisions to the board, again robbing the board of valuable time.

The Centre for the Protection of National Infrastructure, a UK Government organisation, has released a short document aimed at helping security managers get cyber security onto the corporate agenda. CPNI makes the somewhat obvious point that getting buy-in from a company board is crucial to the successful outcome of a cyber security implementation project.

Although the CPNI paper doesn’t spell it out quite this way, the key is to show the board concisely why security matters to them and to the company they are responsible for. Generally the key issues fall into three categories.

Financial – the loss due to another entity (government, business, criminal) gaining commercially sensitive information. The effect of this can be short term where a negotiation is damaged or longer term where valuable intellectual property is lost.

Legal – many organisations are subject to regulatory requirements to protect information that they hold on behalf of clients, stakeholders and staff. In Australia, the Australian Privacy Principles come into force in March 2014. Most private sector organisations will be required to adhere to them. Financial and professional organisations have been required to meet similar requirements for a number of years.

Reputational – high profile privacy breaches have affected a number of large companies. Companies such as Sony, Heartland and RSA have suffered huge breaches which cost them millions of dollars to clean up and resulted in significant lost business. In some cases, they have resulted in tightened regulation which in turn increased the cost of doing business.


Things to remember

– Most, if not all, board members will not have a good understanding of the Internet or information security (tech companies are the exception, of course).

– Boards are generally made up of people who are very clever and need you to acknowledge it – presentations need to be logical but also require little subject-specific knowledge.

– If you are the expert, you need to have the answer when one board member starts talking about “his daughter’s computer” or the spam she “gets on the company email” that she doesn’t get at home – this is where a well briefed chair is important.

– The best briefings work when board members are given details of current, real world examples of similar companies’ misfortunes. You can bet that Microsoft looked very hard at the Sony hack at the board level and that CA examined the breach of RSA tokens carefully!

Sometimes an outside expert needs to be brought in to tell the board what the security cell already knows. It is a funny quirk of human nature that we sometimes don’t give enough respect to the people in our own organisation.

That’s where you can call on us to help you get your message across. We have experience talking to boards and senior executives from government, councils, banks and companies including those in the DISP.

Is it possible for health practitioners to achieve information security? Maybe a better question is “How can health professionals balance privacy, information security and accessibility in an online world?” Or even, should the medical profession be bothered with keeping private and sensitive information secure?

Over the last few months, I’ve been working with a number of health practitioners to help them improve their information security. Much of this has been done with a view to the introduction of electronic health records.

I sympathise with hospital administrators, doctors and nurses. They don’t have a lot of time to think about security and privacy. However, the fact is that they have to do better.

Criminals follow the money

According to the Australian Institute of Health and Welfare, the health system costs just under 10% of Australia’s GDP (AUD121.4 billion in 2009/10 according to the AIHW). In the US, it is around 18% (USD2.6 trillion in 2010 according to the CDC). With this much money involved in the health system, it is a fat series of targets for cyber attack and fraud.

Terrorist vector? Probably not.

The Department of Homeland Security has even gone so far as to suggest that the health system could be targeted by terrorists and activists in the USA. I am not convinced by this or similar suggestions, as the number one aim of terrorists remains to create terror. Terrorists understand this and seek targets and methods along those lines. It matters less how few people a terrorist kills. It is more important for the terrorists that they have an audience that can clearly see a hard link between cause (terrorist attack) and effect (death, destruction etc). The murder of a single UK soldier in May 2013 by allegedly Al-Qaeda inspired terrorists with machetes has created significant community angst, not only in the UK where it occurred but in Australia, Canada and the USA. Yet it is likely that more people died on that same day on the roads in London. My point is this: if terrorists discovered some way of causing significant death or maiming from medical equipment, I do not doubt that they would use it. However, it is likely that the effect on the collective public consciousness would not be as great as the machete attack mentioned above.

However, we must accept that it is possible, if not altogether probable. One identified flaw is the chronic inability of many health systems to patch their software and applications.

One high consequence scenario involves hackers attacking defibrillators and insulin delivery systems remotely. I think this comes into the unlikely but possible category. Shodan was used by a hacker to access the controls of a blood glucose monitor connected to the Internet by WiFi.

Whilst we can probably discount to some extent the terrorist threat, I can imagine the attraction of such attacks as assassination vectors or for the installation of ‘ransomware’. Thus the high consequence threat from foreign governments and organised crime can’t be as easily discounted.

Beyond the extreme, privacy compromise and fraud

Beyond these extreme events, there is the possibility that patient or staff privacy can be compromised by weak information security. Dr Avi Rubin, a computer scientist and technical director of the Information Security Institute at Johns Hopkins University, has been quoted as saying of the US health system: “If our financial industry regarded security the way the health-care sector does, I would stuff my cash in a mattress under my bed.” Unfortunately, it is not possible to hide one’s health under the mattress!

I experienced this personally about a week ago when my daughter’s optometrist sent through the results of her recent eye test, only it wasn’t. The attachment data was for somebody I had never met.

We have a tendency to compare the worst case scenario of e-health privacy with the best case scenario of the current system. We all know that this isn’t the case, as my example above shows.

Good information security will also help protect healthcare organisations from fraud. Fraud is estimated to be a USD60 billion impost on US hospitals. Methods being used by fraudsters include:

– Diversion of fee revenue

– Diversion of controlled items (e.g. drugs)

– Collusion with suppliers; and

– Diversion of accounts receivable.

The same methods are being used in medical practices, albeit on a smaller scale.

What to do

A holistic approach is needed. We have worked with a number of medical practices to implement the key elements of the information security standard ISO 27000. This ensures that the practice has a risk based approach which mitigates threats based on real world experience of consequence and likelihood. Working with practice owners and stakeholders, we determine tolerance to information risk and work with them to implement controls which make sense and meet any regulatory requirements.

If you think this is something your organisation needs, please contact us at [email protected]

You may have seen some fairly alarmist reporting from the ABC about Chinese interests hacking ASIO, Australia’s version of the FBI.

New espionage?

For those who haven’t seen it, the allegations come from the Four Corners program and relate to compromises of sub-contractors of ASIO. ASIO is building a huge new central office and it seems that the Chinese managed to get the blueprints for the building. ASIO is a hard nut for a foreign intelligence agency to attack, so the way to get there is to use their contractors.

The point is that this is not any different from what would have occurred during the cold war! The Chinese or Russians for that matter would have previously used their human intelligence networks. It seems likely that this information would have been a target 50 years ago just as much as now.

What is different then?

The difference is the sheer quantity of attacks that are occurring. We have moved from the Cold War, where the superpowers fought their battles in small third countries such as in South America, Africa or the Middle East to the new paradigm – the cyber insurgency. The wars between the superpowers have moved onshore to the malls and industrial parks of our cities and then they disappear. The authorities and companies are never quite sure who to trust and when / where the insurgent hackers will reappear.

“The guerrilla must swim in the people as the fish swims in the sea.” –Aphorism based on the writing of Mao Zedong

Previously foreign intelligence agencies needed to identify targets and then find resources to compromise them. The new method is to attack anything that might be interesting and suck up whatever comes back. Spies no longer have difficulty getting the information; their challenge is finding the needles in the haystack. And they don’t differentiate between business and government. According to reports in the New York Times and a detailed report by Mandiant, any organisation that doesn’t protect its information security, whether private or public, is potentially compromised.

How can my organisation protect itself?

– the aim of the war is to gain the support of the population rather than control of territory

– most of the population will be neutral in the conflict.

– support of the population may be lost. The population must be efficiently protected to allow it to cooperate without fear of retribution.

– in the guerrilla phase of an insurgency, a government must secure its base areas first.

Using these principles we can identify a strategic direction:

The way to deal with an insurgency is through hearts and minds.

Organisations, whether government agencies or business, need to share information with their public and other organisations. Only in this way can they create defence in depth and help each other protect themselves. The attacks on ASIO demonstrate that an organisation’s security is only as good as its weakest link. Importantly, the perimeters of risk in any organisation do not stop at the front door, if they ever did. Organisations suffer from hubris if they believe otherwise. This is why the concepts of deperimeterisation as espoused by the Jericho Forum and others are so useful.

Organisations need to work out what they need to protect and set about protecting that. Declassification, although counter-intuitive, is one way that can help organisations work out what information is valuable.

Organisations need to be adaptable and willing to work with the fact that most information will become available to their adversaries. They need to take advantage of the information in the intervening time.

By making information security central to their organisational decision process, organisations can become more adaptable to this evolving threat. This means moving the security officer from the corner office to the top level of the organisation. In turn, the security officer needs to change his/her attitude from the ‘computer says no’ person to the one who says, “yes, this is the best way we can achieve the organisation’s aims with tolerable risk”.

Such an organisation is indeed resilient. Change needs to come in the leadership of government and organisations to deal with it. I’m not sure they understand how big this challenge will be.

In the digital world it is very easy to create data, very difficult to get rid of it

Like us all, government agencies are creating huge amounts of information. Lots of it is classified, either to protect privacy or for national security. This is as it should be: classification is an important aspect of information security.

What is data classification?

It is the process of assigning a business impact level to a piece of data or a system. This then governs how many resources are directly devoted to its protection. By classifying documents and systems, an organisation makes risk-managed decisions on how information is protected.


Digital data wants to be free and it is expensive to ensure confidentiality if you also want to maintain data integrity and availability.

However, over-classification of information can be as bad for an organisation as under-classification. This is particularly true of large government organisations.

In addition, Government agencies tend to be risk averse places anyway – which on balance is a good thing!

So how could governments shift the classification balance, improve security and improve efficiency in agencies?

The problem is that the person who classifies data or systems does not have to pay for the cost of their actions in classifying. In fact, the individual avoids personal risk if a piece of data is over-classified. However their agency has to wear the added expense.

Gentle readers, we have a problem of incentive imbalance!

Suppose it costs $100 to store a Secret document for its lifetime and $10 to store an everyday unclassified document. If governments placed a nominal value on document creation relative to the whole of life costs, it might be possible to stem the tide of increasing amounts of classified data.

If under this scheme a government employee wishes to create a secret classified document, they would need to find $100 in their budget to do so. In this case the employee might consider producing an unclassified document or one that was slightly classified. I argue that this market based approach to declassification would have far more effect than more rules.

A plan for implementation

So how might the plan be implemented in the tight fiscal environment that government agencies currently face, even though it is likely to save money long term?

– Survey government agencies to see how many classified pieces of data they produce each year by type, e.g. there might be 500 top secret data pieces and 1000 secret.

– Assign a dollar value to each document according to the level of protection it receives. This bit would require a bit of research or possibly a pilot scheme.

– Based on the previous year’s classified information output, each agency is given a declassification budget. It might be considered that, as this task was one that the agency should have been doing previously, there is no requirement for central funding.

– Require each agency to report the numbers of classified data produced.

– Agencies that produced too many classified documents would need to pay the treasury a fine equivalent to the cost of storing the extra documents in archives.

– Agencies that produced fewer pieces of data than the previous year would receive a windfall.

That’s it in a nutshell. As governments produce more data, they will need to store it. Balancing the incentives to overclassify and underclassify data will help ensure that information is properly protected.

ENISA, Europe’s network and information security agency, just released a report looking at cloud computing from the perspective of critical infrastructure protection.

ENISA asserts that 80% of large organisations will be using cloud solutions within two years. The approach that ENISA takes is nicely balanced, pointing out that cloud adoption is both good and bad in terms of critical infrastructure protection. From an organisational perspective, the message is similar.

Like any information security endeavour, adoption of cloud boils down to a series of risk decisions. There is of course also a question of organisational and possibly national resilience in the case of critical infrastructure to adapt if any threats are realised.

However, it is possible to use the cloud securely for many applications. It requires resources devoted to intelligent system design. This means that the business case for cloud adoption is not necessarily one about saving money. One company that uses the Amazon service, but did not get affected in 2011, was Netflix. Netflix has a very clever piece of software called Chaos Monkey which tests its environment during working hours with the intention that systems are fixed before they break. Netflix released the software as open source in July 2012. http://techblog.netflix.com/2012/07/chaos-monkey-released-into-wild.html

STRENGTHS

– Cloud providers can afford people, processes and equipment which are state of the art.

– Cloud providers are able to offer very good uptime and good backup.

– Cloud provides good mitigation against natural disasters.

– Elasticity – cloud offerings are able to increase and decrease capacity dynamically, which allows them to mitigate against DDoS attacks.

WEAKNESSES

– Cloud providers located in different jurisdictions add complexity to the compliance and governance of organisations.

OPPORTUNITIES

– Better collaboration with other organisations, integration of supply chain across disparate organisations and locations.

– Organisations that utilise cloud well can become more resilient, e.g. Netflix.

– Code optimisation.

THREATS

– Cloud providers concentrate datasets so their ‘attractiveness’ as a target increases (aggregation).

– An outage in one cloud provider can have consequences for multiple organisations. Additional issues may become apparent if those organisations are all providers of the same critical infrastructure.

– A legal dispute related to data owned by one organisation which is located in the cloud might affect others.

The threat from human actors can be seen to be the combination of intent and capability. Both organised crime and nation states have the capability to attack cloud providers. Their intent is obviously higher if they assess that they can access several prize organisations through a single attack.

I’m struck by the thought that the emergence of cloud should mean that risks to the critical infrastructure from natural disasters and mistakes should decrease. However, on the other hand, cloud providers are such attractive targets, that the risks from human (active) threats are likely to be higher.

Importantly, the report makes a number of useful suggestions for organisations that are moving towards the use of cloud solutions in terms of risk assessment, security measures and recovery and reporting of incidents.

The Australian Attorney-General’s Department released the 2012 Cyber Crime and Security Survey on 18 February. Reading the press that accompanied it, e.g. “Cyber criminals struck one in five top Australian businesses”, and similar surveys in past years, you might be forgiven for thinking that we are on the precipice of a cyber armageddon!

There is no denying that the threat, vulnerability and consequence of cyber attack to organisations are increasing steeply. Luckily all is not lost: organisations can minimise their attack surface significantly. How? By taking a holistic approach to their information security which blends appropriate physical, personnel and IT security mitigations. This, with a well thought out response and recovery plan, can produce layered security and lead to a resilient organisation able to sail the ‘cyber seas’ with confidence.

In the IT space, doing the basics well can protect against all but the most sophisticated attacks

The survey in question was conducted on behalf of the Australian Computer Emergency Response Team (CERT.au), part of the Attorney-General’s Department. CERT’s 450 client organisations were sent the survey and 255 responded. Whilst the survey numbers are small and therefore become statistically unreliable very quickly, the clients of CERT.au are vital to Australia. Generally CERT.au client organisations are part of Australia’s critical infrastructure. They include utilities, telecommunications providers, financial institutions and also mining companies.

That said, there are some interesting figures.

22% of respondents (around 55) said that they knew that they had had a cyber incident in the last 12 months. Of more concern was that 9% of respondents reported that they “didn’t know”.

50% of respondents (i.e. 127) considered that they had been subjected to targeted attacks.

The most common reported cyber incident was ‘loss of a notebook / mobile device’; followed by virus infection; trojan/rootkit; unauthorised access; theft/breach of confidential information; and denial of service attack. This seems odd: I find it difficult to reconcile loss of a laptop with hackers sitting in bunkers outside Shanghai targeting key espionage targets. The concerning question is whether respondent companies are only seeing the easy to spot attacks (i.e. a missing laptop, a computer not working because of a virus, etc.) and not the more sophisticated level, i.e. the stealth attack that exfiltrates data to foreign lands.

The survey authors also reiterate an oft-made point about the ‘trusted insider’, that

“Many companies spend the majority of their IT security budget on protection from external attacks. But the figures above serve as a reminder that internal controls and measures are also important, to ensure that internal risks are also managed”.

This is a relic of the perimeter approach to information security, the us and them approach. It doesn’t work anymore because the network has no discernible boundary in the modern interconnected organisation.

Delving further into the report it is interesting to look at contributing factors to attacks. The relevant table is replicated here. Almost all of the contributing factors can be wholly mitigated, with the possible exception of “attractiveness of your organisation to attack” and arguably “Sophisticated attacker skill which defeated counter-measures in place”.

In any case, we sometimes forget that the spectrum of resilience involves prevention, preparation, response and recovery. Organisations need to be agile: they need to work hard to prevent and prepare for loss or compromise of sensitive information, but accept that it is not possible to repel every attack. For this reason, resources need to be allocated to response and recovery.

Another important point is about the vital role of computer emergency response teams (CERTs). CERTs are like the white blood cells in our bodies: they share information which helps their clients protect themselves. The other way to think about it is that the bad guys take advantage of the information superhighway by sharing information at the speed of light about vulnerabilities in different systems and new attack techniques, so why shouldn’t the good guys? I’ve written about this previously. The problem is always that the bad guys have an advantage. As the IRA said after the Brighton bombing in 1984 which almost wiped out the then UK Prime Minister Margaret Thatcher….

Energy companies will need to significantly increase their focus on cyber security in the next three to five years if they wish to keep ahead of the increasing risks to their business from direct cyber attack and malware.

The oil and gas sector will need to invest around USD1.87 billion into upgrading its SCADA (supervisory control and data acquisition) and general corporate systems to defend against direct cyber attack and malware, according to technology intelligence company ABI Research.

There have been several attacks targeted at oil and gas firms in the last two years, including:

– Night Dragon in 2011, originating from China according to McAfee. The attacks were a mixture of social engineering and unsophisticated hacks with the aim of gaining access to corporate forecasts and market intelligence from petrochemical firms. Most alarming was the assertion by McAfee that it had been undetected for up to four years.

– Shamoon targeted Saudi Aramco in 2012, taking out up to 30,000 workstations. This attack has been linked to (and disputed by) Iranian interests.

The examples given are of attacks on energy companies’ corporate systems. The fear is that issue motivated groups or nation states might now choose to attack poorly protected SCADA systems owned by oil and gas companies. The ability to do this has been demonstrated in the wild with Stuxnet, but not on energy installations.

What are the key security issues surrounding SCADA systems?

– The general observation that SCADA systems are built for throughput, and security is bolted on as an afterthought rather than being built in at the design stage.

– An overemphasis on security through obscurity, with the belief that the use of specialised protocols and proprietary hardware provides more than cursory protection against cyber-attack. Better to assume the enemy knows, or will know, the system.

– Over-reliance on physical security to provide protection.

– An assumption that the SCADA system can be kept unattached to the Internet and therefore will be secure.

A bit of background.

SCADA systems have been around since the mainframe era. However, these systems were based on proprietary hardware and software and they weren’t connected to open systems. The main threat to these systems was the ‘trusted insider’, such as when a disgruntled contractor, Vitek Boden, used his knowledge and some ‘acquired’ proprietary hardware to cause sewage to overflow in a plant in Maroochy Shire, Queensland.

In the 1990s, SCADA systems began to be built using the same technology as the Internet (TCP/IP), and early this century companies began to connect these systems to the Internet. In 2010, Stuxnet apparently caused centrifuges to spin out of control and self-destruct in nuclear processing plants at Natanz in Iran. Attribution is difficult, but the finger is alternately pointed at Israel and the USA (or both).

What next?

Organisations, particularly in the oil and gas industry need to change their approach to cybersecurity and take a holistic and strategic view. This starts at the board level and requires a cultural change. This does not necessarily mean buying the latest machine that goes ‘ping’. It does mean thinking about how to integrate security at the core of the business, just like finance and HR.

I was asked to give a snapshot about what I thought the big risks for organisations were likely to be in the cyber world in 2013. Below are eight trends that I think are more likely than not to be important in the next twelve months.

1 Boards continue to struggle to consider cyber risks in a holistic manner

With the exception of technology based companies, most government and private sector boards lack directors with a good understanding of their cyber risks. However all organisations are becoming more dependent on electronic information and commerce. This brings with it both opportunities and threats which are not well understood by boards. Good risk management depends on the board setting the risk tolerance for the organisation. Risk and reward are two sides of the same coin.

Senior Management must create a culture where they acknowledge that cyber risk is evolving and encourage sharing of incident information with trusted partners in government, police, industry and with their service providers. Moreover, if boards see problems in sharing information, they should lobby governments to improve the conditions for sharing.

2 BYOD goes ballistic – deperimeterisation is forced upon organisations, even when they aren’t ready.

Many organisations are in denial about the threat that ‘bring your own device’ (BYOD) policies expose them to. Together, BYOD and cloud technologies will force deperimeterisation on organisations. The pressure will come primarily from within, as their profit centres demand more connectivity to develop new and rapidly changing business relationships.

In the long-term, this is likely to be positive because it will drive down costs and increase flexibility for organisations. But only the resilient will survive the transition. Even resilient organisations will not go through this deperimeterisation unchanged. This process is likely to cause rude shocks for those organisations and their boards that are not prepared and do not invest prudently in technology and more importantly people to transition smoothly.

3 Attacks that intentionally destroy data

The other threat which may arise is where the attacker intentionally destroys data, usually after stealing it. This may be an act of protest by an issue motivated group, the opposite of Wikileaks if you think of it. Or it could be undertaken by organised crime against either government agencies or business. Attacks of this nature could cripple many organisations that do not have hot backup, and even then the question of data integrity comes into play. Boards will need to think carefully about the ‘three-cornered stool’ of confidentiality, integrity and availability relative to their organisations.

Ransomware, where data is encrypted by an attacker to become inaccessible to the owner until a ransom is paid will increase. However, the problem is likely to remain primarily at the home user and SME level. This is less due to technical difficulties with the attacks and more because of the standard problem for such scams – how to extract money when the authorities have been alerted and are on the hunt. Technologies such as Bitcoin will find increasing use here.

4 More sophisticated attacks by organised crime and nation states.

Here’s an easy one. I am more certain of this prediction than any of the others. We are in a cyber arms race between the attackers and the defenders. The advantage currently lies with the attackers. Since the possibility of an international agreement to curb cyberattacks is negligible, as per my cyber law of the sea post, I see no let-up in 2013.

5 Privacy continues to increase as a concern for governments in most western countries

In Australia, the Parliament passed the Privacy Amendment (Enhancing Privacy Protection) Bill 2012 in November, tightening the Commonwealth Privacy Act 1988, which applies to Commonwealth agencies and private sector organisations. A summary of the changes is here.

In the same month, the European Network and Information Security Agency (ENISA) published a report about the right to be forgotten. This report proposes a regulation that would allow a European citizen to have their personal data destroyed on request unless there were legitimate grounds for retention.

Large multinationals, like Facebook are going to continue to face scrutiny by privacy advocates and governments around the world about the data that they collect and mine. The new version of Microsoft Internet Explorer set a cat among the pigeons when it was shipped with the ‘do not track’ setting on by default. The Digital Advertising Alliance issued a statement that “Machine-driven do not track does not represent user choice; it represents browser-manufacturer choice”.

It will be interesting to see who wins. Consumers have shown themselves to be willing to choose services which commercialise their information in return for real value. The key here is choice.

6 Failure by government to protect private sector organisations causes more of them to create CERTs

In a number of countries, national Computer Emergency Response Teams have been created with much fanfare, with the aim of sharing information between government and industry about the threats to critical infrastructure. In general it hasn’t worked well. Western economies are dependent on infrastructure that is primarily in the hands of private enterprise, so all the players understand that neither government nor industry can ‘solve cyber’ on their own. In a federal system like Australia or the US, the problem is exponentially harder.

At its heart, the problem is not technical, it is trust. Security and law enforcement agencies have long come to the CERTs with their hands out asking for information, but unwilling to share what they know. Industry doesn’t trust government or its competitors. Meanwhile, the attackers make hay.

As with international negotiations, when multilateral agreements fail, bilateral ones can take their place (messily). Increasingly we are likely to see technology-dependent organisations setting up their own CERTs and working at the technical level with like organisations, bypassing central government CERTs and inward-focussed intelligence organisations in the process.

7 Organisations start to concern themselves more with cyber-dependencies

Organisations have long understood in the physical world that if their supply chain is attacked or degraded, then their ability to function is impeded. Without wheels from Factory A, Factory B can’t assemble cars. Therefore Factory B is keen to ensure that Factory A survives, but it’s also keen to make sure that the tyres from Factory A don’t cause car accidents. A company’s dependencies do not stop at its front door.

This principle needs to be extended actively into cyber space. Most organisations do not develop all their technology in house, so vulnerabilities in hardware and software operated by their suppliers are of prime importance. Defence companies have long needed to take this into account, but this thinking will expand to more parts of the economy.

With deperimeterisation upon us, organisations must assume that attackers can enter their networks. Only through good identity and access management can an organisation potentially protect itself. My post, Trusted Identity – a primer, took a longer look at this trend.

If an organisation has no perimeter and no good identity system in place, it becomes impossible to work out who should access what. Governments are realising the same. Essentially, if they are to provide the services that their citizens want, then they have to have ways of identifying for certain what those citizens are entitled to.

In 2013, we will see some results from the US efforts (NSTIC) to pilot programs that develop trusted identities. Business is taking a big part in this, with leadership from the likes of PayPal.

In Australia, there are varying signals coming from the Commonwealth Government. E-Health is moving forward, albeit slowly, and so is online Service Delivery Reform, which will also depend on identity at its core. There has not been much news of late about the Cyber white paper, which was due in the second half of 2012.

I was at the launch last Thursday of ‘Security is your business 2’. If you are interested in or responsible for Enterprise Risk Management on a practical level, then this DVD will help your organisation.

The DVD includes interviews with Australian and overseas (mostly UK) security literati talking about a number of issues related to ERM. It builds upon the well-regarded ‘Security is your business’ but stands alone.

Apart from the fact that I know and respect a number of the talking heads on the DVD, I have no association with the enterprise.

Last week Pizza Hut Australia admitted that its cyber-defences had been breached. Unfortunately the attackers did get hold of customers’ names and addresses. Technically, it seems that Pizza Hut itself didn’t get breached, but the website provider that hosts its site did.

From a privacy perspective, it’s time to use the ‘pub’ test. That is, what would your level of unhappiness be if the world knew that you liked the meatlover’s supreme with extra cheese and lived at 32 Rosegardens Road, Morphett Vale? I think not very high. The important thing is that the company claims credit card details didn’t get stolen.

Pizza – not Pizza Hut

My sources tell me that the hackers didn’t get credit card details because this information is held in a separate and better-protected database by a specialised payment gateway. I hope they’re right!

There are a couple of important lessons for organisations to learn from this breach. Firstly, by developing granular controls that separate data by its value and by what it is used for, organisations like Pizza Hut can develop security protocols that give the best mix of data availability and confidentiality. As an example, far more parts of the business benefit from knowing where customers live and who they are than need the credit card details. If the data isn’t separated, the organisation can’t make the best use of the data and ensure its security at the same time – it has to do one or the other. But with granular controls, the marketing department can use addresses and telephone numbers to plan promotions and the planning department can work out where to open the next store, while neither needs to know credit card details.
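The separation described above, as an added illustration (not code from the post or from Pizza Hut): an order is split on ingestion into a profile store that the website and marketing can use and a payment store that only a hypothetical gateway holds, with role-based views and a leak check over the web-facing store. All names, stores and the sample order are constructed for the example.

```python
"""Added example: separate customer data by value so that web-facing and
marketing roles never touch card data. Stores and roles are hypothetical."""
import re
import secrets

# Constructed sample order, as a web front end might receive it (not real data).
ORDER = {"name": "A. Customer", "address": "32 Rosegardens Road, Morphett Vale",
         "phone": "0400 000 000", "card_number": "4111111111111111", "cvv": "123"}

# Crude "looks like a card number" pattern, used only for the leak check below.
PAN_RE = re.compile(r"\b\d{13,19}\b")

profile_store = {}    # hypothetical: lives with the website, holds no card data
payment_gateway = {}  # hypothetical: the separate, better-protected store

def tokenise_card(card_number, cvv):
    """Stand-in for the payment gateway: keep the PAN, return an opaque token.
    The CVV is used for authorisation only and is deliberately never stored."""
    token = "tok_" + secrets.token_hex(8)
    payment_gateway[token] = {"pan": card_number, "last4": card_number[-4:]}
    return token

def ingest_order(order_id, order):
    """Split one order: card goes to the gateway, profile fields stay local."""
    token = tokenise_card(order["card_number"], order["cvv"])
    profile = {k: order[k] for k in ("name", "address", "phone")}
    profile["suburb"] = order["address"].split(",")[-1].strip()  # for planning
    profile["payment_token"] = token                             # for re-billing
    profile_store[order_id] = profile
    return token

# Granular controls: which profile fields each role may read. Card data is not
# in the profile store at all, so no role can be granted it here by mistake.
ROLE_FIELDS = {"marketing": {"name", "address", "phone"},
               "planning": {"suburb"},
               "web": {"name", "address", "payment_token"}}

def view(role, order_id):
    allowed = ROLE_FIELDS[role]
    return {k: v for k, v in profile_store[order_id].items() if k in allowed}

def leaked_pans(store):
    """Check: which records in a store contain a value that looks like a PAN?
    Expected to be empty for the web-facing profile store."""
    return [k for k, rec in store.items()
            for v in rec.values() if PAN_RE.search(str(v))]
```

Running `leaked_pans(profile_store)` after ingestion is the check a reviewer would want: it should stay empty, while the same check on the gateway store finds exactly the tokenised records.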

The other point is about risk transfer. Although transferring risk to a third party is an acceptable mitigation according to the risk management standard ISO 31000, organisational reputation can’t be transferred. If your company wants to keep its good name when it gets hacked, it needs to have thought about recovery and restoration. Blaming the web provider won’t cut it with customers if your organisation is anything bigger than the local fish and chippery. Generally, the larger the company, the bigger the reputation; more so for .gov.

There has been a gradual, but definite change in the way that cybersecurity professionals talk about breaches. Until around 2001, people talked about the possibility of being breached online. Now this has changed from ‘if you get breached’ to ‘when you get breached’.

Essentially, if information is available on Internet-facing systems, then it is more a matter of time and luck as to when your system gets done over. This is something security professionals need to communicate to the senior management of the organisation.

For Pizza Hut, this recent event will probably contribute to its longevity and improve its resilience. Research is showing that organisations that undergo small shocks are more ready for the black swans of the future.

However, they should not rest on their laurels. In the aftermath of any breach, an organisation needs to examine how to reduce the risk of further breaches. Some of the questions I ask in such situations are (in no particular order):

Does the organisation need to think further about the balance between the confidentiality of personal information and its availability to Internet-facing systems?

From a marketing and public relations perspective, is the organisation talking to its customers to show that it is taking their personal information seriously?

What changes does the organisation need to make in terms of digital evidence gathering – was it adequate to deter future attacks? In the long term the rule of law is the only way to reduce the power of the attackers.

Did the organisation understand how to respond to the breach, and does this need regular exercising?

Was there an agreed direction from senior management in the event of a breach, so that the technical staff could ‘get on with the job’ as quickly as possible?

Are the relationships with service providers adequate, and were the levels of service and the measures taken to recover sufficient?

It is important to recognise that the best value gains for the organisation come not from IT changes like forensics, but business process rearrangement.